- Feature
- Resolution: Done
- Critical
- Strategic Product Work
- OCPSTRAT-28 Secure the Platform
- 0% To Do, 0% In Progress, 100% Done
Epic Goal
There is a known design limitation in Kubernetes: files within a PV need to be relabeled during the attachment process. Depending on the number of files and on backend performance/load, this can lead to timeouts and pod creation failure, or even worse, to nodes moving to NotReady because the container runtime becomes unresponsive.
STOR-966 aims to bring a native long-term solution upstream, but it will take several cycles to reach GA upstream and to be supported downstream in OCP.
In the meantime we offer two workarounds, described in this KCS. Unfortunately, customers are reluctant to use them because they require additional parameters in the pod definitions, and there is no guarantee that OCP project users will add them, leaving the environment exposed to this issue.
The goal of this epic is to implement functionality that automates the suggested workarounds so that users don't have to specify the spc_t seLinuxOptions or the TrySkipVolumeSELinuxLabel annotation themselves.
Why is this important?
We are facing more and more escalations from customers hitting this issue, and the workarounds are not adopted because they lack automation (the pod definition has to be changed manually).
Scenarios
- Find automation for the spc_t workaround so that users don't have to add it to their pod definition
- Find automation for the TrySkipVolumeSELinuxLabel workaround so that users don't have to add it to their pod definition
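As an added illustration (not code from this ticket or from the linked proposal), the core patch-building logic of a mutating admission webhook that injects one of the two workarounds into pods that mount a PVC in an opted-in namespace. The opt-in label name is hypothetical, and the full CRI-O annotation key is assumed from CRI-O's annotation list rather than taken from this page; the webhook HTTP plumbing is omitted.

```python
import json

# Hypothetical opt-in namespace label; value selects the workaround: "spc_t" or "skip-label".
OPT_IN_LABEL = "example.com/selinux-relabel-workaround"
# Assumed CRI-O annotation key (not given in full on this page).
SKIP_LABEL_ANNOTATION = "io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel"


def mounts_pvc(pod):
    """Only pods with a PVC-backed volume are affected by the relabeling timeout."""
    return any("persistentVolumeClaim" in v for v in pod.get("spec", {}).get("volumes", []))


def build_patch(pod, namespace_labels):
    """Return an RFC 6902 JSON Patch list for the AdmissionReview response, or [] to leave the pod untouched."""
    mode = namespace_labels.get(OPT_IN_LABEL)
    if mode is None or not mounts_pvc(pod):
        return []
    spec = pod.get("spec", {})
    if mode == "spc_t":
        sc = spec.get("securityContext")
        if sc and sc.get("seLinuxOptions"):
            return []  # never override an explicit SELinux choice made by the pod author
        if sc is None:
            return [{"op": "add", "path": "/spec/securityContext",
                     "value": {"seLinuxOptions": {"type": "spc_t"}}}]
        return [{"op": "add", "path": "/spec/securityContext/seLinuxOptions",
                 "value": {"type": "spc_t"}}]
    if mode == "skip-label":
        ann = pod.get("metadata", {}).get("annotations")
        if ann is None:
            return [{"op": "add", "path": "/metadata/annotations",
                     "value": {SKIP_LABEL_ANNOTATION: "true"}}]
        if SKIP_LABEL_ANNOTATION in ann:
            return []  # already present, nothing to do
        # JSON Pointer escaping for keys containing "~" or "/"
        key = SKIP_LABEL_ANNOTATION.replace("~", "~0").replace("/", "~1")
        return [{"op": "add", "path": f"/metadata/annotations/{key}", "value": "true"}]
    return []  # unknown label value: fail open to the unmodified pod


# Constructed sample pod (not from the page): one PVC volume, no securityContext, no annotations.
SAMPLE_POD = {
    "metadata": {"name": "db-0", "namespace": "team-a"},
    "spec": {
        "containers": [{"name": "db", "image": "registry.example/db:1"}],
        "volumes": [{"name": "data", "persistentVolumeClaim": {"claimName": "db-data"}}],
    },
}

if __name__ == "__main__":
    print(json.dumps(build_patch(SAMPLE_POD, {OPT_IN_LABEL: "spc_t"}), indent=2))
```

Because spc_t runs the container with SELinux confinement effectively removed, the opt-in is deliberately per namespace rather than cluster-wide.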
Acceptance Criteria
- CI - MUST be running successfully with tests automated
- Release Technical Enablement - Provide necessary release enablement details and documents.
Proposal
The proposal is at https://hackmd.io/4HsVTfTjTZ-pO23r7e_7SQ?view
Open questions:
- Are users okay with marking the namespaces/projects within which pods get the workaround injected?
- Is there a preference between the two workarounds?
- Migration once this is fixed upstream.
Done Checklist
- CI - CI is running, tests are automated and merged.
- Release Enablement <link to Feature Enablement Presentation>
- DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
- DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
- DEV - Downstream build attached to advisory: <link to errata>
- QE - Test plans in Polarion: <link or reference to Polarion>
- QE - Automated tests merged: <link or reference to automated tests>
- DOC - Downstream documentation merged: <link to meaningful PR>
- is related to: RFE-3327 Implement Selinux context mounts (Accepted)
- relates to: OCPSTRAT-120 Implement RWOP SELinux context mounts (TechPreview) (Closed)